Dashboard authentication (OpenShift)
Introduction
This page documents the configuration settings that enable an OAuth2 proxy in front of the Aspen Mesh dashboard on an OpenShift cluster. The proxy uses the built-in OpenShift OAuth system to ensure that only authenticated users in your organization can access the dashboard.
Setup
To enable the proxy with default options, set .aspen-mesh-controlplane.userAuth.type to oauthOpenshift in your Aspen Mesh override values file:
aspen-mesh-controlplane:
  userAuth:
    type: oauthOpenshift
Additional Configuration
You can specify additional OAuth configuration using .aspen-mesh-controlplane.userAuth.oauthOpenshift parameters:
aspen-mesh-controlplane:
  userAuth:
    type: oauthOpenshift
    oauthOpenshift:
      host: aspenmesh.example.com
host (string)
(Optional) Hostname where users will log in to Aspen Mesh.
If provided, we will automatically configure a route named aspen-mesh-controlplane with this hostname and options to properly integrate into OpenShift’s OAuth authentication workflow.
If not provided, a route will not automatically be created. You must create a route named aspen-mesh-controlplane in the istio-system namespace with your preferred options, or use some other load balancer to expose the aspen-mesh-controlplane service to your users and integrate that load balancer with OpenShift OAuth. Here is an example of manual route creation:
$ oc create route edge aspen-mesh-controlplane \
  --namespace istio-system \
  --service aspen-mesh-controlplane \
  --port 19001 \
  --insecure-policy Redirect
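
A check for a manually created route, added here as an example (it is not Aspen Mesh code). It assumes the input is the JSON printed by `oc get route aspen-mesh-controlplane -n istio-system -o json`; the function names and the sample routes are constructed for illustration.

```python
import json

# Expected values come from the `oc create route edge` command on this page.
EXPECTED = {
    "metadata.name": "aspen-mesh-controlplane",
    "metadata.namespace": "istio-system",
    "spec.to.name": "aspen-mesh-controlplane",
    "spec.port.targetPort": "19001",
}

def _get(obj, dotted):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    for key in dotted.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def audit_route(route_json):
    """Return a list of findings; an empty list means the route matches."""
    route = json.loads(route_json)
    findings = []
    for path, want in EXPECTED.items():
        got = _get(route, path)
        if str(got) != want:
            findings.append(f"{path}: expected {want!r}, found {got!r}")
    tls = _get(route, "spec.tls") or {}
    if not tls.get("termination"):
        findings.append("spec.tls: no TLS termination, dashboard served over plain HTTP")
    elif tls.get("insecureEdgeTerminationPolicy") == "Allow":
        findings.append("spec.tls.insecureEdgeTerminationPolicy: 'Allow' also serves plain HTTP")
    return findings

def _route(port, tls):
    # Constructed sample data, not output captured from a real cluster.
    return json.dumps({
        "kind": "Route",
        "metadata": {"name": "aspen-mesh-controlplane", "namespace": "istio-system"},
        "spec": {"to": {"kind": "Service", "name": "aspen-mesh-controlplane"},
                 "port": {"targetPort": port}, "tls": tls},
    })

GOOD_ROUTE = _route(19001, {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"})
BAD_ROUTE = _route(8080, {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"})
NO_TLS_ROUTE = _route(19001, None)

if __name__ == "__main__":
    for name, doc in [("good", GOOD_ROUTE), ("bad", BAD_ROUTE), ("no-tls", NO_TLS_ROUTE)]:
        print(name, audit_route(doc) or "OK")
```
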
Deploy
After the configuration settings are in place, upgrade the istiod release to create the OAuth proxy service and update/create the associated resources:
$ helm upgrade istiod manifests/charts/istio-control/istio-discovery \
  --namespace istio-system \
  --values aspen-mesh-override-values.yaml \
  --wait
Authenticate via OpenShift OAuth
Visit https://<DOMAIN> in your browser and you should see a button labeled “Log in with OpenShift.”
Click the button and complete the login process.
You will be taken to OpenShift to authorize the permissions requested by the aspen-mesh-controlplane service account.
Click the “Allow selected permissions” button to access the Aspen Mesh dashboard.
To log out, visit https://<DOMAIN>/oauth2/sign_in, or delete the cookies from your browser for your cluster’s domain.